Partiful, the trendy event planning app that's become the go-to replacement for Facebook Events, just patched a serious privacy vulnerability that could have exposed users' exact locations. The $27 million startup was inadvertently sharing GPS coordinates embedded in profile photos - revealing everything from home addresses to workplace locations for anyone savvy enough to check the image metadata.
Partiful has been riding high as the cool alternative to Facebook Events - Google even crowned it the best app of 2024. But the startup's rapid ascent hit a privacy speed bump this week when TechCrunch discovered the app was leaking users' precise locations through their profile photos.
The vulnerability was surprisingly straightforward. Using basic browser developer tools, anyone could access raw profile photos stored on Partiful's Google Firebase backend and extract embedded GPS coordinates showing exactly where those images were captured. For some users, that meant revealing home addresses or workplace locations down to within a few feet.
TechCrunch reporters Zack Whittaker and Amanda Silberling tested the flaw themselves, uploading a profile photo taken outside San Francisco's Moscone West Convention Center. The image's precise coordinates remained intact on Partiful's servers, confirming the security gap.
This isn't just a technical oversight - it's a fundamental privacy issue that most platforms solve automatically. Companies like Meta, Google, and Apple routinely strip metadata from uploaded images to prevent exactly this kind of exposure. The practice has become so standard that Partiful's oversight raises questions about the startup's security processes.
The timing couldn't be more awkward for Partiful, which has faced scrutiny over its founders' backgrounds. Co-founders Shreya Murthy and Joy Tao previously worked at Palantir, the data mining company that powers ICE's deportation database. Some New York promoters have even boycotted the app over these connections, making privacy missteps particularly damaging.
After TechCrunch reached out Friday with evidence of the vulnerability - including a Manhattan resident's precise address extracted from their profile photo - co-founder Joy Tao acknowledged the issue was "already on our team's radar." The company initially planned a fix for "next week" but accelerated the timeline after reporters emphasized the severity.
